Ransomware attack in Windows 1809 - Please help


  1. Posts : 374
    Windows 10-64 bit (version 1909 build 18363.628)
       #1

    Ransomware attack in Windows 1809 - Please help


    My PC, which has an i3 2nd-generation processor with 8GB DDR3 RAM, recently got infected with ransomware. The only software I recently installed was Nvidia's graphics driver for the GTX 1050 Ti 4GB, from its official website. I also have a habit of checking for https. Okay, here is the series of events that happened before the ransomware attack.

    1. My PC initially had an Nvidia GTX 750 2GB graphics card, which is now two years old. It stopped working and was out of warranty. My PC wouldn't start.
    2. I bought a new graphics card, installed it, and installed the drivers from their legit and official website.
    3. The next day I got ransomware in three folders of mine in the E: partition of my 500 GB hard drive. It has two partitions. C is the system one, E is the other one.

    They are the first three folders in my E drive if I sort them alphabetically. They didn’t have much data in them. I was really happy as all the other folders of mine were safe, and the entire C drive was safe. I then disconnected the LAN cable from my PC as a safety measure.

    I called up a friend of mine who faced a ransomware attack two months back. He says that I must not be happy, as the virus can spread to other folders as well even after I scan my PC with any new antivirus. I was not using any 3rd-party antivirus; I was using Windows Defender only. My Windows version was 1809. I don't remember the full version that has many decimal numbers after 1809.

    Please help me; what should I do? I have not switched on my PC for the last seven days, believing it to be a Pandora's box. I've been using my laptop intensively ever since.

    The encrypted files have the extension .ioyhnnr


  2. Posts : 1,345
    Windows 10 Pro 64-bit
       #2

    Is This a FULLY Reliable Method to Recover from Ransomware? By Chuck7
    Is This a FULLY Reliable Method to Recover from Ransomware? - Windows 10 Forums

    I recovered 2 ransomwared computers last year by relying on that thread.


  3. Posts : 374
    Windows 10-64 bit (version 1909 build 18363.628)
    Thread Starter
       #3

    MeAndMyComputer said:
    Is This a FULLY Reliable Method to Recover from Ransomware? By Chuck7
    Is This a FULLY Reliable Method to Recover from Ransomware? - Windows 10 Forums

    I recovered 2 ransomwared computers last year by relying on that thread.

    Thanks a lot for replying. I'll explain my condition.

    I don't have any external hard drives with enough storage to back up my entire PC hard drive. I have only one hard drive that has my backup data, and that too is almost full.

    My PC has two hard drives installed in it.

    1. A 12-13-year-old hard drive of 80GB capacity, Maxtor brand. This is called G:. One single 80GB partition.
    2. A one-year-old WD hard drive of 1TB capacity.

    The WD hard drive has two partitions.
    C: partition - 120 or 180 GB, I can't recall. This is the system partition where Windows and all my software are installed.
    E: partition – 920GB or whatever remains after subtracting that from 1TB.

    Now my plan is:
    1. Do the whole procedure while my internet LAN cable is unplugged.
    2. Format my C drive and install Windows 10 into it.
    3. After my PC boots up, I just take the important files from the E: partition onto a 16 GB pen drive.
    4. I install an antivirus and scan my entire PC for infection.
    5. If my antivirus shows all clean results, I connect my LAN cable.
    How does this sound?


    Another question: how did my PC get infected in the first place? No USB drive was inserted in it. No software was installed. No suspicious or stupid infected adware-kinda website was visited. I was the sole user of my PC and I knew exactly what I did.


  4. Posts : 1,773
    Windows 10 Home
       #4

    "first three folders in my E drive if I sort them alphabetically. They didn’t have much data in them. I was really happy as all the other folders of mine were safe, and the entire C drive was safe."

    I'm skeptical that it's ransomware, which I've been hit with before. It will encrypt ALL your common ext's like .jpg, .mp3, .doc, etc. almost instantly, not pick out 3 folders on a non-C drive. Were you asked via a message how much to pay to decrypt these? If not, it's a different issue from ransomware. I assume you tried simply changing the ext, to test?
    Not likely it was Nvidia, but something hiding in the registry from an add-on or similar that activated on next boot. In my case, I had to wipe the drive and reinstall, then restore data from a backup, fortunately done the day before. Good luck.


  5. Posts : 1,345
    Windows 10 Pro 64-bit
       #5

    I would follow mrgeek's information.


  6. Posts : 374
    Windows 10-64 bit (version 1909 build 18363.628)
    Thread Starter
       #6

    mrgeek said:
    "first three folders in my E drive if I sort them alphabetically. They didn’t have much data in them. I was really happy as all the other folders of mine were safe, and the entire C drive was safe."

    I'm skeptical that it's ransomware, which I've been hit with before. It will encrypt ALL your common ext's like .jpg, .mp3, .doc, etc. almost instantly, not pick out 3 folders on a non-C drive. Were you asked via a message how much to pay to decrypt these? If not, it's a different issue from ransomware. I assume you tried simply changing the ext, to test?
    Not likely it was Nvidia, but something hiding in the registry from an add-on or similar that activated on next boot. In my case, I had to wipe the drive and reinstall, then restore data from a backup, fortunately done the day before. Good luck.

    I checked my music folder. All mp3 files are intact. All my JPEGs are intact in the photographs folder. I checked many folders. The files are all working fine. All were super fine and working.

    All the encrypted folders (which are only the first three) had a notepad file in them giving me instructions to visit a website using the Tor browser. The notepad file did not tell me the exact amount. It only gave me the link which I have to visit in order for decryption.

    I also checked subfolders in the other folders to check for infection. I couldn't find any infected ones. The alphabetical pattern is the only thing I have figured out. Yeah, I did try to change the extensions of the encrypted files, but that didn't work.

    So you're suggesting that the root of this ransomware lies in the registry, or, on a macro level, probably in the C partition.

    So, if I wipe out the C drive, I have at least a 90% probability that I'm safe, yeah?


  7. Posts : 84
    Windows 10 Home x64
       #7

    archz2 said:
    ...All the encrypted folders (which are only the first three) had a notepad file in them giving me instructions to visit a website using the Tor browser. The notepad file did not tell me the exact amount. It only gave me the link which I have to visit in order for decryption...
    If you can extract a copy of the .txt ransom note or an encrypted file from the system, you could use the service below to identify the (ransomware?)
    https://id-ransomware.malwarehunterteam.com/

    Here's some information about the above service from Emsisoft:
    Emsisoft: How to identify your ransomware infection to find the right decrypter tool

    Once you've identified the strain of ransomware that you've been infected with, you could look for a decryption tool/clean-up tool for that particular strain. All major AV software vendors provide decryption tools for various ransomware. You might find the sources below useful:

    https://www.thewindowsclub.com/list-...ecryptor-tools

    https://www.nomoreransom.org/en/index.html

    https://noransom.kaspersky.com/

    https://www.bleepingcomputer.com/dow...re-decryptors/

    https://www.avast.com/ransomware-decryption-tools


  8. Posts : 374
    Windows 10-64 bit (version 1909 build 18363.628)
    Thread Starter
       #8

    Okay. Thanks a lot for your valuable post. I was able to identify the name of the ransomware. GANDCRAB V5.0.4 it is. I tried the decryption keys of Bitdefender and Avira and they weren't able to decrypt the files. I also checked my folders again. This time I went deeper, to investigate the subfolders. Everything is safe. As mentioned in the original post, only the first three folders are damaged. My C partition data is safe. E partition data is also safe. I also checked my program files for various installed software. They are also safe.



    As of 16th December, GandCrab 5.0.4 isn't decryptable, as posted on this web page:
    GANDCRAB V5.0.4 - Ransomware Help & Tech Support


    -------------------------------------------------------
    I am sharing the ransomware note as well, which was found on the computer.



    ---= GANDCRAB V5.0.4 =---
    ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
    *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
    Attention!
    All your files, documents, photos, databases and other important files are encrypted and have the extension: .IOYHNNR
    The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
    The server with your key is in a closed network TOR. You can get there by the following ways:
    ----------------------------------------------------------------------------------------
    | 0. Download Tor browser - https://www.torproject.org/
    | 1. Install Tor browser
    | 2. Open Tor Browser
    | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/ab315da96288186f
    | 4. Follow the instructions on this page
    ----------------------------------------------------------------------------------------
    On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!IN ORDER TO PREVENT DATA DAMAGE:* DO NOT MODIFY ENCRYPTED FILES* DO NOT CHANGE DATA BELOW---BEGIN GANDCRAB KEY---lAQAAOvKjQBm6B6wQTfCIh2rSQyEnVl3gBdWoiUiLa+vvDKziEsgLjR8/4PLiDj4f6Qy88gkEgq4AvyIuCM3NPPF/nWfSQy8y3OBOv7DxqdwGvaA8uZigTcvIdPexfhNniz3uL2gT4zIcfmi6up0jaz1SLB8dXvK9L5LbDQH00x5SGcX/iL5LRxvBYO8h56dB38tESz2kdaf/WkLVWeGoH4fCJdEH3rwTJphbVwvWumtiLFx8aFoR0tr4nMRyv0AKCrla3FNxGXn+xc5Vy9WIeGngwLJvWKa2uRrBeXW+PvTeZ8Gv ckPcAs5VC4Lf4+dTQeC33+PlkuFdEAmMFgh+WN3gW/s1FN8wfQ8qMA9AjmD4zA73iGNgdfXMj0UtLaHGAk5xfKml2iXww7vlZHeUoZ5jYKAsjAdmzGAVEfsRIPwNwqDu7rCjzLzhCFuYLr jA99d1WoKHcNmExiMk7tbMt4PNVMNEZoPizbF27+ccf2PzLLltIiK6Dex5ooNhBIQFeC5YbTMhPu25VC67G82B/kL8WAGgi4VkMA/+4aQReJ+9ZjIhpgVLgHFqIufZByw6+xoC3DDGlAjTKskGLOSFYEHdLXJdiYJCBiwzc/Biv/VhzzYjexmNmdDRm+BzZxKGyrHhuPbMvrZsYHcNFwD0KmxN6TQvGekiSQSbkVS1yjQx8pk4fDAIq4EDIUElOCTIteippHXP9lL9m1 eC3Np4cWpJZLJLQpUEAGP51Mp/PIVvHC1fmUASxYM+WtVHQQha9KmMMSEPjVNCPoqIax67/azr97noBU5vwgyJNUDXHe1obbQqEsOY7bSbylKXgvPhVvLLR9Ji5PlPCuc99XJfP1YpoSDyrz58EkOwZ2n/tMoboy9T6dBuI0XwjwbEmNRTq9IuZYeCcixvDR/VuloskoVV1oo6eaDa6zsZ8Xkkgcdh1pg0hMrYVeE1hY/adAvhlx3yzIVMPmTbF532E9HMSCKnL70HqlLoRWdPdPLgWdwmDEg9wpujvrMQMk33v6tMzu8Ia8zQdjS2SaLiFkL1auFe5pii1Xo gpGCc0moQM4Jbv1DuXGnRNIg2Vx+BPN9ga29dPQijYLOPVfXLQ+ExCTYGPSvkL1AY40wE/HXm5mw5Qd3Ii3UNUlhE2SXX/7HMYIPvZUAKeZ9BEneeOauM0GkoRKDdYUZgUk/xyGtRD8THtQSF4xUUjsVbC2i/qDuuBzUnoMMhiLdqY6+U06ifU6UzfYuta3CC+RfKI7L489wHyXTWvm32V33qz1NOBjV4hcIpOFWkvI0xc4agO+1srJxzN8oFzbWV NF8xHdCJ9O6B1uGwllI/KIAndKBrEquSZPlqsDXcTUM2dTpxJfQrWzZKYuSXwhshI0NgGBhBDxVKH05utvVuNToH5q66GSq5JKklOBif5nyCKWLhh43oA+hJ bco6VR4g/r85ogKgjhUVYfWcHj8rbSugdqqZThdXfb5xFbhD+VkSI3S3VLMgx6rpMpRP/N6VERHRw7kNzLqaFO/osidtRekzm8KdPZER692ki6q/IogmcMF55B63GkdTKblyq+bXUznoDWPgtQpjAg3fiK7+7sSKLm6XCn++OZseQ2/XlCV1dtwed6vvRpezvt6HkRbRol5YRzxzlKWvPvobHQESau0an9bMSgQHHjBuaoWDax5uvFndqFDSE4dNKe6YPDkYDiIMsgeIYgf 
ETcwfUxsZQuPYE+u0C+kdPENpE3yIEV9YWeKAWir/kVJA7Q92hXTUvAXPDrUxQ9n99LvzvUmLQQYJDDDiaZ6W2yYe/NoKHkp/8vu6epSIS4JKJhqBqmklTi7ocID+uiv9w7OKBC8FEhXaF78PrkrLsIjVif+yGGgU3LjhBASQAWORcf+OfaXGPE21YKBrk0j91CnK MoCGDONab0mFeSfhoJSif28VxNb62HryvYdTkea7DxgQRh9fGhOfArmAEjiFJ/yhDO2IpZfdiJc3bronByoD4552i/xp/PgQGxsmXgzUAalilE4Elx+GUi/c48gwJiI5Py4cSV8bp84qDClxi0jvKHnhlKP3uRqzpv23KYYMRasT76ctofWTS/6i/kHHrp0hQFQtXJ6rxFlbGpkSR40Ht713CYLNJJj0+qbXXBJ4TlYHE0s4zH3312hjogJtFqM/z4wwiKyERKdccmCgE9WM6+CL+oM4gpoHlvgXSoeI1OHG+KBdwFT3MNToPkuAdpGFoGvLOpoOIjHwCdkDtr1L78RJLQ=---END GANDCRAB KEY------BEGIN PC DATA---wfKD6iudumBkmpL8IRr4U4exJ1aPOU7t4DxfOoX1+lYKvM6WGx5/YYRdw5ZDTvFRjnY87mdWi7f0TEyHxR4nBLvzqdM274T6aUGoDBniQJJY843FFP/rmHioHZADLv6jx/xY2WXxNJKTiqGhWkSpAuIArLZkONSXy7nzbWIkRXQCbbiW7cCvYY9YF6SExswpBI4j25yAQVKvZB5VpwPbuU3cBCJ62POMJEO8MP sP0opTLBOTIpxympIoUHZuP4g/UvrG1t5zhja4jZ9AUnggl4JnaN07CAAxfg7dDNIrvH1eSnLFUQ/4keQtPNiuqY+n8bqo5/1ilrEskQzBteLm/yY2U+t/GphYOVqVBnjt7hG5EYsb+CdW4tS4c6bnY89yf4zh2Sqin5RYTTAqM1PQJNsJ95FlwIMoVhPLnK4+D+4LAO6fhGEwg65rIA3hxA9K yA7xZnnpHxEV3qHLZeak13UZO3RgRiyKFDmk1iXgG38OmU/fnSzxQUhnmrImlsyw6nIIVYbpfDfrfBUcfcBmP39Nhn9SQ3PC3aZFEuTtK0iuBZVMGJH/HuwOBb+mRawP0IkRV6Xu5LPMzMX9MXYHh8oz6+xIRfVtV//cbiDWveITXpFeMtQi9EphOlLV2r5gkmnaLVczhQtzfm35aGEniVcEu7J3T9/bHAFzKdH/yDNtdHU3sW4HfayU53JsLe+8Xh0GXa0DQdYgjS/fngqYwiEukcUimJfgtIr+OgttaSsTDkVI0hsiYB4CsbxcZkMy9MsVO8mlY0/QrqpOl485Q7nD1e7z47rl5S2j3IJhMPnR57k1ycqIV4sJ0hUCieDd0ijkDq/vF/Hcl+4FTgNWeZHqu6fwL/fB47MyvWwDRl3gZp9d+E6PPrVOL52BC/gr9TrSgPm8MLDCA6DEWZXMCkNXg+0=---END PC DATA---
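The two questions the thread keeps circling (post #4: are the files really encrypted or just renamed, and how far did it spread; posts #7 and #8: which strain is it, read from the note and the extension) can be answered offline with a small triage script. The following is an added example, not code from the thread or from any poster: it walks a directory tree, picks out files carrying the `.ioyhnnr` extension, tells a genuinely encrypted file (no recognisable header, near-8-bit entropy) from one that was merely renamed, parses the `---= GANDCRAB Vx.y.z =---` header and the "have the extension:" line out of any ransom note it finds, and lists the affected folders. The folder names, the file contents and the sample note are constructed to mirror the thread's layout (first three folders hit, the rest intact); the key block in the sample note is a placeholder, not a real key, and the note file name is an assumption.

```python
import math
import os
import random
import re
import tempfile
from collections import Counter

# Extension reported in the thread and the header layout of the pasted note.
RANSOM_EXT = ".ioyhnnr"
NOTE_FAMILY_RE = re.compile(r"---=\s*(GANDCRAB V[\d.]+)\s*=---")
NOTE_EXT_RE = re.compile(r"have the extension:\s*(\.[A-Za-z0-9]+)")

# A few well-known file signatures: a renamed file keeps its header, an
# encrypted one does not.
KNOWN_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"ID3": "mp3",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext and compressed data sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blob(data: bytes) -> str:
    """'renamed' if a known header survives, 'encrypted' if high entropy, else 'unknown'."""
    if any(data.startswith(magic) for magic in KNOWN_MAGIC):
        return "renamed"
    if len(data) >= 256 and shannon_entropy(data[:4096]) > 7.5:
        return "encrypted"
    return "unknown"


def parse_ransom_note(text: str) -> dict:
    """Pull family/version and the announced extension out of a GandCrab-style note."""
    fam = NOTE_FAMILY_RE.search(text)
    ext = NOTE_EXT_RE.search(text)
    return {"family": fam.group(1) if fam else None,
            "extension": ext.group(1).lower() if ext else None}


def triage(root: str, ext: str = RANSOM_EXT) -> dict:
    """Walk root; report encrypted/renamed files, ransom notes and affected directories."""
    ext = ext.lower()
    report = {"encrypted": [], "renamed": [], "unknown": [], "notes": {}, "dirs": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ext):
                with open(path, "rb") as fh:
                    kind = classify_blob(fh.read(4096))
                report[kind].append(path)
                report["dirs"].add(dirpath)
            elif name.lower().endswith(".txt"):
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    parsed = parse_ransom_note(fh.read(8192))
                if parsed["family"]:          # the note is evidence: record it, never delete it
                    report["notes"][path] = parsed
                    report["dirs"].add(dirpath)
    report["dirs"] = sorted(report["dirs"])
    return report


def affected_folders(report: dict) -> list:
    return [os.path.basename(d) for d in report["dirs"]]


# Constructed sample note (placeholder key, not real key material).
SAMPLE_NOTE = (
    "---= GANDCRAB V5.0.4 =---\n"
    "Attention! All your files are encrypted and have the extension: .IOYHNNR\n"
    "---BEGIN GANDCRAB KEY---PLACEHOLDER-NOT-A-REAL-KEY---END GANDCRAB KEY---\n"
)


def build_sample_tree() -> str:
    """Constructed layout mirroring the thread: first three folders hit, the rest intact."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    rnd = random.Random(1234)  # deterministic pseudo-random bytes standing in for ciphertext
    for folder in ("Accounts", "Books", "Certificates"):
        d = os.path.join(root, folder)
        os.makedirs(d)
        with open(os.path.join(d, "report.docx" + RANSOM_EXT), "wb") as fh:
            fh.write(bytes(rnd.getrandbits(8) for _ in range(2048)))
        with open(os.path.join(d, "IOYHNNR-DECRYPT.txt"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_NOTE)  # note file name is an assumption
    # A file someone renamed by hand to "test": JPEG header is still there.
    with open(os.path.join(root, "Accounts", "photo.jpg" + RANSOM_EXT), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 1000)
    for folder in ("Music", "Photographs"):
        d = os.path.join(root, folder)
        os.makedirs(d)
        with open(os.path.join(d, "intact.mp3"), "wb") as fh:
            fh.write(b"ID3" + b"\x00" * 500)
    return root


if __name__ == "__main__":
    rep = triage(build_sample_tree())
    print("family:", {v["family"] for v in rep["notes"].values()})
    print("affected folders:", affected_folders(rep))
    print("encrypted:", len(rep["encrypted"]), "renamed-only:", len(rep["renamed"]))
```

Run against a real volume, `triage("E:\\")` gives the spread the poster checked by hand folder by folder, and the renamed/encrypted split settles post #4's "did you try changing the ext" question without touching any file; the extension and family strings it extracts are exactly what the identification service in post #7 asks for.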


  9. Posts : 84
    Windows 10 Home x64
       #9

    @archz2: If the files encrypted by the ransomware were valuable to you, hold on to a copy of those encrypted files along with a copy of the ransom note. A decryptor may become available in the near future. Also, sometimes after a ransomware has gone out of fashion, its developer posts a decryption key on sites like Bleeping Computer or others as a "goodwill gesture."


  10. Posts : 374
    Windows 10-64 bit (version 1909 build 18363.628)
    Thread Starter
       #10

    PrivacyFreak said:
    @archz2: If the files encrypted by the ransomware were valuable to you, hold on to a copy of those encrypted files along with a copy of the ransom note. A decryptor may become available in the near future. Also, sometimes after a ransomware has gone out of fashion, its developer posts a decryption key on sites like Bleeping Computer or others as a "goodwill gesture."
    Okay. But those encrypted files do not carry virus, do they? Where does the virus actually reside in the case of a ransomware attack?

